[Samba] Adding machine to domain fails - check permissions? (ldap)

Eduard Witteveen samba at nergens.org
Fri Aug 12 08:25:54 GMT 2005


Dear list,

When I try to add a machine to the domain (LDAP/PDC), I get the 
following error:

> Error: modifications require authentication at 
> /usr/share/perl5/smbldap_tools.pm line 891, <DATA> line 283.
>   [2005/08/11 16:46:54, 0] 
> rpc_server/srv_samr_nt.c:_samr_create_user(2324)
> _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w 
> "eduard-laptop$"' gave 127

Since I used the user Administrator, I log in from the Windows machine to 
the Linux computer running Samba with the username Administrator 
(an account which is stored in LDAP), and there I *can* run the command 
successfully. (This user is actually root, since I changed both the 
gidNumber and the uidNumber to 0.)

But when this machine has been added manually to the LDAP database, I 
still cannot join the domain, and Samba puts information like the 
following in the log:

> [2005/08/11 17:05:07, 0] lib/smbldap.c:smbldap_open(882)
>   smbldap_open: cannot access LDAP when not root..
> .....
> [2005/08/11 17:05:22, 0] lib/smbldap.c:smbldap_search_suffix(1176)
>   smbldap_search_suffix: Problem during the LDAP search:  (Timed out)
> [2005/08/11 17:05:22, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2350)
>   could not add user/computer eduard-laptop$ to passdb.  Check 
> permissions?

I've attached the smb.conf for completeness. Furthermore, I'm running 
Version 3.0.14a-Ubuntu.

Please let me know how I can get Samba to execute the "add machine script" 
successfully.

-- 
Eduard Witteveen
+31 (0)6 414 789 23
nl_NL  fy_NL  en_US

-------------- next part --------------
# Global parameters
# smb.conf as attached to the post: a Samba 3.0.x domain controller
# ("domain logons", "domain master") whose accounts live in LDAP through
# the ldapsam backend and are provisioned by the smbldap-tools scripts.
[global]
        workgroup = hawarit
        netbios name = pdc
        # Turns on Samba's rights assignment (managed with "net rpc rights").
        # NOTE(review): granting SeMachineAccountPrivilege to the group that
        # joins machines is the usual alternative to giving an LDAP account
        # uidNumber 0, as the post describes doing -- confirm against the
        # documentation for this Samba version.
	enable privileges = yes
        # With "interfaces" commented out, smbd is not tied to one address.
#        interfaces = 192.168.5.11
        # Maps client-supplied user names to Unix accounts. The map file is
        # not shown; it should be writable by root only, because an entry
        # can map a name to root.
        username map = /etc/samba/smbusers
        # %v expands to the Samba version, which is then visible to anyone
        # who can browse the server.
        server string = Samba Server %v
        security = user
        encrypt passwords = true
#        min passwd length = 3
	min print space = 3
        # PAM account and session restrictions are not applied to SMB logons.
        obey pam restrictions = No
        #unix password sync = Yes
        #passwd program = /usr/sbin/smbldap-passwd -u %u
	#passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
        # On a password change Samba also updates the LDAP password, so the
        # Samba hashes and the directory password stay in step.
        ldap passwd sync = Yes
        # Level 0 records only the most severe messages (the "0]" entries
        # quoted in the post). Raising it temporarily helps to trace a
        # failing add machine script; keep debug logs readable by root only.
        log level = 0
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2
        Dos charset = 850
        Unix charset = ISO8859-1

        logon script = logon.bat
        logon drive = H:
        # Both values are left empty on purpose or by omission.
        # NOTE(review): an empty "logon path" presumably means clients are
        # not sent to the [profiles] share -- confirm.
        logon home =
        logon path =

        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = no
        # Account database is the LDAP server on loopback. The
        # "cannot access LDAP when not root" line in the post's log comes
        # from smbd opening this connection without root privileges.
        passdb backend = ldapsam:ldap://127.0.0.1/
        # passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
 # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
        # Samba binds to the directory as this DN; the password is kept in
        # secrets.tdb (stored with "smbpasswd -w"), not in this file.
        # NOTE(review): cn=manager looks like the directory's manager DN --
        # a dedicated DN with ACLs limited to the Samba subtrees would
        # narrow what a compromised smbd host can change.
        ldap admin dn = cn=manager,dc=hawarit,dc=com
        ldap suffix = dc=hawarit,dc=com
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users

#TODO: use tls on ldap server one day!
#        ldap ssl = start tls
        # LDAP binds and password updates are sent unencrypted. With the
        # ldap://127.0.0.1/ backend above the traffic stays on loopback;
        # enable "start tls" before pointing Samba at a remote directory.
        ldap ssl = no
        # The scripts below are run by smbd with %u and %g replaced by
        # names taken from the client request. Keep the double quotes
        # around each substitution, and keep the smbldap-tools bind
        # configuration readable by root only.
        # NOTE(review): "modifications require authentication" in the post
        # suggests the script ran without the bind credentials, i.e. not
        # as root -- confirm which Unix user smbd runs it as.
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        #delete user script = /usr/sbin/smbldap-userdel "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g" 
        #delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

        # printers configuration
        printer admin = @"Print Operators"
        load printers = Yes
        create mask = 0640
        directory mask = 0750
        nt acl support = No
        printing = cups
        printcap name = cups
        deadtime = 10
        guest account = nobody
        # Logons with an unknown user name are treated as the guest account
        # instead of being rejected, so every share with "guest ok = Yes"
        # ([profiles], [printers], [public]) is reachable without credentials.
        map to guest = Bad User
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        show add printer wizard = yes
        ; to maintain capital letters in shortcuts in any of the profile folders:
        preserve case = yes
        short preserve case = yes
        case sensitive = no

# Per-user home directory share; Samba creates it on demand for the
# connecting user.
[homes]
        comment = repertoire de %U, %u
        read only = No
        # These masks allow new files to be world-readable and new
        # directories to be group-writable on the Unix side.
        # NOTE(review): 0600 / 0700 keeps homes private if sharing between
        # users is not intended.
        create mask = 0644
        directory mask = 0775
        browseable = No

# Share from which domain clients fetch the logon script at logon.
[netlogon]
        path = /home/samba/netlogon/
	browseable = No
        # Clients cannot change the scripts over SMB. Write access to the
        # directory on the Unix side should be limited to administrators
        # as well, because every domain client runs what is stored here.
        read only = yes

# Storage for roaming user profiles.
[profiles]
        path = /home/samba/profiles
        read only = no
        create mask = 0600
        directory mask = 0700
        browseable = No
        # NOTE(review): guest access has no evident purpose on a share of
        # per-user profile data; "guest ok = No" is the safer setting.
        guest ok = Yes
        profile acls = yes
        csc policy = disable
        # NOTE(review): force user only sets the Unix identity used for
        # file access once a connection has been accepted, and %U is the
        # user name the client asked for. Who may connect is decided by
        # "valid users" and by the filesystem permissions on the path.
        # next line is a great way to secure the profiles 
        force user = %U 
        # next line allows administrator to access all profiles 
        valid users = %U @"Domain Admins"

# Template share applied to the printers loaded by "load printers".
[printers]
        comment = Network Printers
        printer admin = @"Print Operators"
        # Guests may submit print jobs. Combined with
        # "map to guest = Bad User" in [global], no valid account is needed.
        guest ok = yes 
        # "printable" is set twice in this section (again further down);
        # both lines say yes, so one of them can be removed.
        printable = yes
        # Spool directory: it has to be writable by every user allowed to
        # print, so it should hold nothing but spool files.
        path = /home/samba/spool/
        browseable = No
        read only  = Yes
        printable = Yes
        # %p, %s and %j are expanded by smbd into these command lines.
        # NOTE(review): with "printing = cups" in [global] these commands
        # may not be used at all -- confirm.
        print command = /usr/bin/lpr -P%p -r %s
        lpq command = /usr/bin/lpq -P%p
        lprm command = /usr/bin/lprm -P%p %j

# Printer driver share. Clients install drivers from here, so write
# access should stay with a small, trusted group.
[print$]
        path = /home/samba/printers
        guest ok = No
        browseable = Yes
        read only = Yes
        # Only members of Print Operators may connect, and the same group
        # may write despite "read only = Yes".
        # NOTE(review): "valid users" also keeps ordinary users from
        # downloading drivers -- confirm that is intended.
        valid users = @"Print Operators"
        write list = @"Print Operators"
        create mask = 0664
        directory mask = 0775

# Open share: browseable, writable and available to guests, so with
# "map to guest = Bad User" in [global] anyone who can reach the server
# can add or change files here without an account.
# NOTE(review): if that is not intended, restrict it with "hosts allow"
# or "valid users", or set "guest ok = No".
[public]
        comment = Repertoire public
        path = /public
	browseable = Yes
        guest ok = Yes
        read only = No
        # New directories are group-writable and new files group-writable
        # and world-readable on the Unix side.
        directory mask = 0775
        create mask = 0664

